Network update and GIVC TLS #915

Merged: 3 commits, Feb 4, 2025
Conversation

@mbssrc (Collaborator) commented Nov 25, 2024

Description of changes

This patch re-works the networking and enables TLS for GIVC.

Updates

  • update flake inputs: givc, ctrl-panel

Usage of nixos-rebuild requires a proxy jump. This can be done by

  • adding a proxy-jump ssh configuration to your dev machine, such as

```nix
programs = {
  ssh = {
    startAgent = true;
    extraConfig = ''
      host ghaf-netvm
        user root
        hostname <target-ip>
      host ghaf-host
        user root
        hostname 192.168.100.2
        proxyjump ghaf-netvm
    '';
  };
};
```
  • export the NIX_SSHOPTS environment variable before using nixos-rebuild:
    export NIX_SSHOPTS="-o ProxyJump=root@<your-target-ip>"

  • using the new helper in the Ghaf devshell ghaf-rebuild that does it for you.
    Usage: ghaf-rebuild [regular nixos-rebuild options]
    Example: ghaf-rebuild 192.168.0.123 .#lenovo-x1-carbon-gen11-debug switch

This applies to all targets.

Exceptions:
Connecting to the host directly is possible in the following cases:
- AGX if connected via physical ethernet port
- X1 and AGX/NX if net-vm is stopped (ethernet dongle should then be attached to the host)

Changes to networking

  • auto-generate IP and MAC addresses
  • remove the 'debug' network from ghaf. We can later remove
    the host from the network in release builds and facilitate communication
    over mem share and/or vsock

Note that

  • the ghaf-host-debug name no longer exists
  • all VMs + host run in the 192.168.100.0 subnet
    - you may need to change your proxy jumps to adjust for the changed ghaf-host address (192.168.100.2)
  • all VMs are reachable through their host name

Changes to givc

  • enable tls
  • enable multiple admin service interfaces
  • centralize givc-cli arguments across ghaf

Checklist for things done

  • Summary of the proposed changes in the PR description
  • More detailed description in the commit message(s)
  • Commits are squashed into relevant entities - avoid a lot of minimal dev time commits in the PR
  • Contribution guidelines followed
  • Ghaf documentation updated with the commit - https://tiiuae.github.io/ghaf/
  • PR linked to architecture documentation and requirement(s) (ticket id)
  • Test procedure described (or includes tests). Select one or more:
    • Tested on Lenovo X1 x86_64
    • Tested on Jetson Orin NX or AGX aarch64
    • Tested on Polarfire riscv64
  • Author has run make-checks and it passes
  • All automatic Github Action checks pass - see actions
  • Author has added reviewers and removed PR draft status
  • Change requires full re-installation
  • Change can be updated with nixos-rebuild ... switch

Instructions for Testing

  • List all targets that this applies to: Lenovo X1
  • Is this a new feature
    • System boots
    • GIVC certificates are available everywhere in "/etc/givc" and "/run/givc" in gui-vm
    • Test that all apps + functionality works as before
    • Test that all VMs and host are reachable in the network
    • Regression testing for nvidia targets
  • If it is an improvement how does it impact existing functionality?
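The proxy-jump procedure above, as an added example that is not the ghaf-rebuild helper shipped in the Ghaf devshell nor any other code from the PR. It assumes what the description states: root ssh is accepted by the net-vm at the target IP and by the host, the host sits at 192.168.100.2, and nixos-rebuild honours NIX_SSHOPTS for the ssh legs it opens to --target-host. The function names (is_ipv4, check_rebuild_args, rebuild_cmd, ghaf_rebuild) are hypothetical.

```shell
#!/bin/sh
# Added example, not the Ghaf devshell's ghaf-rebuild helper: run nixos-rebuild
# against the Ghaf host by jumping through the net-vm with ProxyJump.
# Assumptions taken from the PR description: root ssh is allowed on the net-vm
# (the only externally reachable VM) and on the host, which sits at 192.168.100.2.

GHAF_HOST_IP="192.168.100.2"

# is_ipv4 ADDR: accept only a dotted quad, so a mistyped argument cannot be
# turned into an extra ssh option or a different jump host.
is_ipv4() {
  local ip=$1 a b c d rest octet
  case $ip in
    ''|*[!0-9.]*) return 1 ;;
  esac
  IFS=. read -r a b c d rest <<EOF
$ip
EOF
  [ -n "$d" ] && [ -z "$rest" ] || return 1
  for octet in "$a" "$b" "$c" "$d"; do
    [ -n "$octet" ] && [ "$octet" -le 255 ] || return 1
  done
  return 0
}

# check_rebuild_args NETVM_IP FLAKE_REF ACTION: validate the three arguments the
# wrapper takes; returns 2 with a message on stderr when one is unusable.
check_rebuild_args() {
  local netvm_ip=$1 flake=$2 action=$3
  if ! is_ipv4 "$netvm_ip"; then
    echo "ghaf-rebuild: '$netvm_ip' is not an IPv4 address" >&2
    return 2
  fi
  case $flake in
    ''|-*) echo "ghaf-rebuild: missing flake reference" >&2; return 2 ;;
  esac
  case $action in
    switch|boot|test|dry-activate|dry-build) ;;
    *) echo "ghaf-rebuild: unsupported action '$action'" >&2; return 2 ;;
  esac
  return 0
}

# rebuild_cmd NETVM_IP FLAKE_REF ACTION: print the command that would run, so it
# can be inspected before a device is touched.
rebuild_cmd() {
  check_rebuild_args "$@" || return $?
  printf 'NIX_SSHOPTS="-o ProxyJump=root@%s" nixos-rebuild %s --flake %s --target-host root@%s\n' \
    "$1" "$3" "$2" "$GHAF_HOST_IP"
}

# ghaf_rebuild NETVM_IP FLAKE_REF ACTION: run it. NIX_SSHOPTS is applied to the
# ssh connections nix and nixos-rebuild open to the host, which is reachable
# only through the net-vm, hence the ProxyJump. Arguments are passed through
# as words, never eval'd, so a flake reference cannot smuggle in shell syntax.
ghaf_rebuild() {
  check_rebuild_args "$@" || return $?
  NIX_SSHOPTS="-o ProxyJump=root@$1" \
    nixos-rebuild "$3" --flake "$2" --target-host "root@$GHAF_HOST_IP"
}

# Usage: ghaf_rebuild 192.168.0.123 .#lenovo-x1-carbon-gen11-debug switch
```

Run `rebuild_cmd` first to see the exact invocation, then `ghaf_rebuild` with the same arguments. Because the connection to 192.168.100.2 is tunnelled through the net-vm, ssh records host keys for both hops; if a target is re-installed and regenerates its host keys, ssh will refuse to connect until the stale known_hosts entries for the net-vm IP and for 192.168.100.2 are removed. Remove those entries rather than disabling StrictHostKeyChecking, since the jump host is exactly the place a man-in-the-middle would sit.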

@mbssrc mbssrc changed the title WIP: GIVC TLS Network update and GIVC TLS Jan 12, 2025
@mbssrc mbssrc requested a review from brianmcgillion January 13, 2025 07:04
@mbssrc mbssrc mentioned this pull request Jan 16, 2025
@mbssrc (Collaborator, Author) commented Jan 23, 2025

39b4699 Updates:

  • rebase to latest
  • address review comments
  • change the way keys/certificates are packaged. Now they are stored in the /storagevm/givc folder as images, so they can be mounted read-only into VMs. This makes it possible to preserve "stateless" VMs such as zathura.
  • move the host folder generation so that it is not guarded by unsafe shares

@brianmcgillion brianmcgillion added the Needs Testing CI Team to pre-verify label Jan 28, 2025
@johannarautanen commented Feb 3, 2025

Checked with native Orin AGX:

Working:

  • you can sign in to Element if you activate the wifi in Orin AGX(net-vm)
  • and when you stop the net-vm via ghaf-host, you can sign in to Element via a physical ethernet or USB-ethernet adapter connection. After that you can also connect to ghaf-host from a remote laptop.
  • can only connect with net-vm or ghaf-host. net-vm-debug or ghaf-host-debug are not working anymore
  • IPs 192.168.100.1 and 192.168.100.2 are working. Old IPs (192.168.101.1 and 192.168.101.2) are not working anymore.
  • all 4 applications can be launched

@johannarautanen johannarautanen added the bug on Orin AGX Issues found on NVIDIA Jetson AGX Orin while checking this PR label Feb 3, 2025
@johannarautanen commented Feb 3, 2025

Checked with native Orin NX:

  • When the ethernet was attached to the physical port (net-vm), the Ghaf time updated.
  • can sign in to the element-app
  • and when the net-vm is closed via ghaf-host, you can sign in to Element when a USB-ethernet adapter (ghaf-host) is used.
  • can only connect with net-vm or ghaf-host. net-vm-debug or ghaf-host-debug are not working anymore
  • IPs 192.168.100.1 and 192.168.100.2 are working. Old IPs (192.168.101.1 and 192.168.101.2) are not working anymore.
  • all 4 applications can be launched

@johannarautanen johannarautanen added Tested on Orin AGX This PR has been tested on NVIDIA Jetson AGX Orin Tested on Orin NX This PR has been tested on NVIDIA Jetson NX Orin and removed bug on Orin AGX Issues found on NVIDIA Jetson AGX Orin while checking this PR labels Feb 3, 2025
@milva-unikie commented:
Tested on Lenovo-X1 (full re-installation)

New issues:

  • VPN does not work any more. I am able to connect to VPN with the app but can't access jira.tii.ae in Trusted Browser.

Previous issues have been fixed:

  • Host clock is now synchronized.
  • Logs are sent to Grafana.

Notes:

  • I confirmed that the boot issue I reported earlier is not related to this PR.
  • Test-automation fix has been updated to the latest changes. Most of the bat-tests pass on X1, but many still need more reworking. Orins have not yet been tested. Update network connections ci-test-automation#222

@milva-unikie milva-unikie added bug on Lenovo X1 Carbon Issues found on Lenovo X1 Carbon while checking this PR and removed Needs Testing CI Team to pre-verify labels Feb 3, 2025
@mbssrc (Collaborator, Author) commented Feb 3, 2025

> Tested on Lenovo-X1 (full re-installation)
>
> New issues:
>
> * VPN does not work any more. I am able to connect to VPN with the app but can't access jira.tii.ae in Trusted Browser.

Cannot reproduce the VPN error on my side. Also can't think of a reason how it could be affected. Please check again.

@milva-unikie commented:

> Cannot reproduce the VPN error on my side. Also can't think of a reason how it could be affected. Please check again.

tldr: works now

It definitely was not working yesterday or this morning. I re-installed and still nothing. And then suddenly it started working and has now worked for an hour. After it started working I tried again to re-install and this time it worked right away. No idea what happened but should be good now. Sorry about the confusion.

@milva-unikie milva-unikie added Tested on Lenovo X1 Carbon This PR has been tested on Lenovo X1 Carbon and removed bug on Lenovo X1 Carbon Issues found on Lenovo X1 Carbon while checking this PR labels Feb 4, 2025
Updates:
- update flake inputs: givc, ctrl-panel

Changes to networking:
- auto-generate IP and MAC addresses
- remove 'debug' network from ghaf. Next step we can remove
  the host from network and facilitate communication
  over mem share or vsock in release

Changes to givc:
- enable tls
- enable multiple admin service interfaces
- centralize givc-cli arguments across ghaf

Signed-off-by: Manuel Bluhm <[email protected]>
- fix logging server address
- add vhotplug to nvidia devices
- add devshell helper script for builds

Signed-off-by: Manuel Bluhm <[email protected]>
Change addressing scheme of nw-packet-forwarder

Signed-off-by: Manuel Bluhm <[email protected]>
@brianmcgillion brianmcgillion merged commit 45c34cd into tiiuae:main Feb 4, 2025
22 of 23 checks passed
Labels
Tested on Lenovo X1 Carbon This PR has been tested on Lenovo X1 Carbon Tested on Orin AGX This PR has been tested on NVIDIA Jetson AGX Orin Tested on Orin NX This PR has been tested on NVIDIA Jetson NX Orin